defirisk.co
rubric v1.7.0

Rescue/emergencyWithdraw without timelock

Lombard Finance's assessment for RD-F-041 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

BridgeV2 exposes `rescueERC20(IERC20 tokenContract, address to, uint256 amount)`, callable by the owner. Whether this function is timelocked (i.e., the owner is the LombardTimeLock rather than the deployer EOA or a Safe directly) is unconfirmed. The LBTC core contract has no rescue function. Overall drain risk is bounded by the Consortium co-sign requirement for LBTC minting.

Sources

  • GitHub
    https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/BridgeV2.sol (retrieved 2026-05-05)
  • Etherscan
    https://etherscan.io/address/0x451c54981C7DA5d95901b770C540547cF5FE0A2D (retrieved 2026-05-05)

Methodology

Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.


  • rubric_version: v1.7.0
  • protocol: lombard
  • factor: RD-F-041
  • score: yellow
  • collected_at: 2026-05-05 12:03:08